Government Surveillance Viewed though a Global PRISM
This op-ed originally appeared in Zeitschrift für Datenschutzin (ZD) in German and English.
Edward Snowden, the source of leaked documents about PRISM, warns in a recent interview in The Guardian newspaper that government surveillance in the digital age is “not just a US problem.”
Snowden’s revelations about the US National Security Agency have drawn legitimate concern both in the US and globally. But Snowden also gave The Guardian documents showing that Britain’s spy agency has secretly gained access to the cables that carry the world's phone calls and Internet traffic. Indeed, according to the documents, Britain’s GCHQ "produces larger amounts of metadata collection than the NSA."
Meanwhile, Der Spiegel has reported that Germany’s foreign intelligence agency, the BND, is monitoring communications at a Frankfurt communications hub that handles international traffic to, from and through Germany. And the BND is seeking to significantly extend its capabilities.
Important questions are being raised about the surveillance practices of the US government, and the Center for Democracy and Technology is at the center of efforts to reform US law. However, in assessing PRISM, it would be a mistake to focus only on trans-Atlantic differences over privacy. There are at least three bigger questions that industry, privacy advocates, and policymakers on both sides of the Atlantic and in the rest of the world have to grapple with.
First, the storage revolution and big data analytic capabilities, combined with fears about terrorism as well as more mundane demands of public administration, are driving a steadily growing governmental appetite for access to data held by the private sector. Second, as Internet-based services for communications, data storage, and social networking have become globalized, the transborder implications of those governmental demands pose very hard, unresolved challenges. At the least, it is increasingly likely that more than one country will have a legitimate interest in a certain item of data, placing companies in a difficult position. Third, national laws as well as international agreements having long allowed governments to exercise greater powers to collect data in the name of national security than in ordinary criminal law enforcement cases. In the post 9/11 world, activities conducted under these separate rules for national security have vastly expanded. Defining cybersecurity as a national security problem – as various nations are doing -- could further magnify the scope of data acquired under national security standards.
Before exploring the implications of these three issues, we should briefly address some misconceptions about US law. Some commentators in Europe have said that the US does not view privacy as a fundamental right and therefore does not afford privacy rights to non-citizens. The truth is more complicated. To begin with, communications privacy as between the individual and the government is a fundamental right in the US, protected by the Fourth Amendment to the US Constitution. For decades, the courts and Congress have struggled to apply that provision, which was written in 1789, to newer technologies, and the results have been uneven. But the Fourth Amendment, like most provisions in the US Constitution, applies equally to citizens and non-citizens who are physically inside the US. The federal statutes that define precise procedures for electronic surveillance require a court order, naming a specific person or account, to intercept the communications of both citizens and non-citizens inside the US, in both law enforcement and national security matters.
The problem from a European perspective is that the Fourth Amendment right to communications privacy does not limit US surveillance of non-citizens who are physically outside the US. However, even US citizens do not enjoy the full protection of the Constitution outside the US: With one exception (actually in the foreign intelligence area), the US government does not need a court order to conduct electronic surveillance outside the US even when targeting US citizens.
Privacy advocates in the US (including CDT) are calling for both greater transparency and tighter controls on US spying directed at both citizens and non-citizens. US Internet companies are increasingly publishing details about how many US government demands they receive and how many customer accounts are affected. (The details, in fact, prove that Internet companies are not giving the US government blanket access to communications content, either for citizens or non-citizens.) Indeed, Google and Microsoft have filed lawsuits seeking permission to disclose even more details about PRISM and other programs, so customers can see that the levels of intrusion are relatively low.
Long before the recent revelations, US companies had joined in a coalition with privacy advocates to lobby Congress to increase the limits on government access to communications in criminal investigations. In the Senate, legislation has already been reported out of committee to require law enforcement officials to obtain a warrant from a judge before they can compel a cloud service provider to disclose the contents of communications or documents stored on behalf of customers. The bill’s protections would apply equally to citizens and non-citizens, whether they are physically located in the US or not. Several bipartisan bills have been introduced in Congress to require a judicial warrant for police access to mobile phone tracking data.
National security presents by far the hardest challenges, surrounded by the greatest secrecy. Governments around the world maintain the prerogative to conduct surveillance for national security purposes. Privacy laws often give wider latitude to such activities, or exempt them altogether. In the EU, for example, both the current data protection directive and the proposed new regulation specifically exempt processing of data for national security purposes. National standards often afford lesser protection when surveillance is aimed at non-citizens outside a nation’s territory.
What we need, globally, is a robust debate about what the standards should be for government surveillance. That debate should be premised on much greater transparency about current practices. CDT and others have been exploring, on a comparative basis, national standards for surveillance, but in many countries government secrecy impedes an understanding of even what powers the government claims. (Ironically, as a result of the Snowden leaks, the US may now have more transparency on its practices and rules than any other country in the world.)
Of course, questions concerning government surveillance are compounded by another one of the Internet’s most difficult policy challenges: jurisdiction. Given the globalization of information society services, data pertaining to the citizens of one country may flow through or be stored in the territory of another country. It seems highly unlikely that any country will completely refrain from taking advantage of the access afforded by the presence of servers, cables, or corporate officials in its own territory.
The best way forward can be found within the context of international human rights law. International and regional human rights treaties recognize the right to privacy, but they also expressly state that the right is not absolute. For example, the European Convention on Human Rights states that a public authority can interfere with the right to privacy for national security purposes “in accordance with the law” when “necessary in a democratic society.” The challenge now is to put substance on that framework.
The most fully developed body of trans-national law on government surveillance and privacy is that of the European Court of Human Rights, which over the years has issued multiple decisions on wiretapping, including national security surveillance. The court has never suggested that secret surveillance is per se a violation of human rights. Instead, it has identified a set of checks and balances that could offer sufficient guarantees against the risk of abuse. These include the spelling out of standards in a public law, the role of the judiciary in approving and overseeing a surveillance system, requirements of specificity, necessity, justification and proportionality, limits on the retention and use of data, and effective remedies for misuse. Earlier this year, the UN’s special rapporteur on freedom of expression issued a report on government surveillance, specifically recommending that national legal frameworks be strengthened along similar lines.
The raising of legal standards on a global basis offers a partial solution to the challenges of transborder surveillance. But why would a country like the US ever agree to restrain its surveillance activities directed at persons outside the US? An answer may be found in economic self-interest. In a globally networked world, especially where the US has achieved a dominant position in cloud computing, social networking, and other Internet services, it is not enough for the US to simply protect people inside its territory. For many leading US companies, a majority of their customers are outside the US. The Internet is borderless, the national security concerns are borderless too, so legal standards need to catch up and recognize the implications of surveillance with cross-border implications.
In a networked world, the standards for government access must be judged not so much in the context of a debate between US and EU law (for they are closer than many assume) but rather on the basis of international human rights standards. The US government may argue that the PRISM standards actually comport with international law, but that will be an illuminating debate, in which Europeans must explain and defend their own laws by the same standards. If they can have this debate, then policymakers in Europe and the US can work with human rights institutions, civil society, and the Internet industry at large to move the rest of the world towards a set of principles based on transparency, proportionality and accountability.